Microsoft SharePoint Server vulnerabilities could allow remote code execution
Report ID: MS201309001
Date Published: 11 September 2013
Criticality: Critical
Compromise Type: denial-of-service, remote-code-execution, privilege-escalation
Compromise From: remote
Affected Product/Component:
Microsoft Windows SharePoint Services 2.0
Microsoft Windows SharePoint Services 3.0
Microsoft SharePoint Foundation 2010
Microsoft SharePoint Server 2010
Microsoft SharePoint Foundation 2013
Microsoft SharePoint Server 2013
Excel Services
Microsoft Business Productivity
Word Automation Services
Microsoft Excel Web App 2010
Summary
Ten vulnerabilities reported in Microsoft SharePoint Server could lead to denial of service, remote code execution and escalation of privilege.
Detailed Description
Microsoft has released a security update to address ten reported vulnerabilities in Microsoft SharePoint Server. One is a denial of service vulnerability caused by improper starting of an unassigned workflow; two are escalation of privilege vulnerabilities caused by improper sanitization of a request; and the other seven are remote code execution vulnerabilities caused by improper handling of objects in memory and improper input validation.
All of these vulnerabilities have been patched in the latest update, and users are advised to install the update on their systems as a protection measure against exploit attempts.
CVE Reference
CVE-2013-0081, CVE-2013-1315, CVE-2013-1330, CVE-2013-3179, CVE-2013-3180, CVE-2013-3847, CVE-2013-3848, CVE-2013-3849, CVE-2013-3857, CVE-2013-3858
Solution
Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms13-067
F-Secure Health Check
F-Secure's free tool, the Health Check, detects if your system is missing the patch for the vulnerability covered in this report.




